CN110120934A - Method, software-defined network controller and medium for application firewall policy - Google Patents
- Publication number: CN110120934A (application CN201811443201.3A)
- Authority: CN (China)
- Prior art keywords: application, firewall, signature, strategy, software defined
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications (CPC; all under H - Electricity, H04 - Electric communication technique, H04L - Transmission of digital information, e.g. telegraphic communication)
- H04L63/0263 - Rule management (H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
- H04L41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play (H04L41/00 maintenance, administration or management of data switching networks; H04L41/08 configuration management of networks or network elements; H04L41/0803 configuration setting)
- H04L41/0893 - Assignment of logical groups to network elements
- H04L41/0894 - Policy-based network configuration management
- H04L41/342 - Signalling channels for network management communication between virtual entities, e.g. orchestrators, SDN or NFV entities (H04L41/34 signalling channels for network management communication)
- H04L47/20 - Traffic policing (H04L47/00 traffic control in data switching networks; H04L47/10 flow control; congestion control)
- H04L63/02 - Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0254 - Stateful filtering (H04L63/0227 filtering policies)
- H04L63/0272 - Virtual private networks
- H04L63/1441 - Countermeasures against malicious traffic (H04L63/14 detecting or protecting against malicious traffic)
- H04L63/20 - Network architectures or network communication protocols for managing network security; network security policies in general
- H04L67/10 - Protocols in which an application is distributed across nodes in the network (H04L67/00 network arrangements or protocols for supporting network services or applications; H04L67/01 protocols)
Abstract
This disclosure relates to a method, a software-defined network (SDN) controller and a medium for application firewall policies. An SDN controller of a data center that enforces application-aware firewall policies is disclosed. In one example, the SDN controller receives a request to initialize an instance of an application and, in response to receiving the request, sends a message to a firewall component located between the SDN gateway of the data center and a network outside the data center. In some examples, the message includes an application signature corresponding to the instance of the application and an application firewall policy corresponding to the application signature. The message instructs the firewall component to install the application firewall policy so that it is applied to the network traffic of the instance of the application.
Description
Technical field
The disclosure relates generally to computer networks, and more specifically to configuring firewall policies in virtual networks.
Background
A cloud data center is a data center that provides external clients with access to virtualized applications, services and data storage. In a typical cloud data center environment there is a large number of interconnected servers that provide the compute (e.g., compute nodes) and/or storage capacity to run various applications. For example, a cloud data center hosts virtualized applications and services for the clients of the cloud data center, together with all of its infrastructure equipment, such as network and storage systems, redundant power supplies and environmental controls. In a typical cloud data center, clusters of storage systems and application servers are interconnected by a high-speed switch fabric provided by one or more tiers of physical network switches and routers. More sophisticated cloud data centers provide infrastructure all over the world, with subscriber support equipment located in various physical hosting facilities.
Software-defined networking (SDN) platforms can be used in cloud data centers and, in some cases, can use a logically centralized and physically distributed SDN controller together with a distributed forwarding plane in virtual routers that extend the network of physical routers and switches in the cloud data center into a virtual overlay network hosted in virtualized servers. The SDN controller provides management, control and analytics functions for the virtualized network and orchestrates the virtual routers by communicating with them.
Summary of the invention
In general, this disclosure describes techniques for enforcing application-aware firewall policies by the SDN controller of a data center. In some examples, in response to receiving a request from a user to access a virtualized application in a cloud data center, the SDN controller instantiates the application in a virtual machine executing on one or more compute nodes of the cloud data center. During instantiation, the SDN controller applies general and user-specific configuration to the application, such as network and firewall policies. An application may be instantiated and destroyed many times, each time requiring the network and firewall policies to be reconfigured and reapplied. According to the techniques of this disclosure, the SDN controller can determine the firewall policy of an application and configure a firewall component located outside the SDN gateway of the data center with that firewall policy. The firewall component can then apply the firewall policy to the network traffic of the application.
One example of the techniques disclosed herein includes an SDN controller that enforces application-aware firewall policies in a cloud data center. In one example, the SDN controller receives a request from a user to initialize an instance of an application in one or more virtual machines executing on one or more compute nodes of the cloud data center. The SDN controller requests from the firewall component an application signature corresponding to the instance of the application. The SDN controller retrieves, from the application firewall policy repository of the SDN controller, the application firewall policy corresponding to the application signature. The SDN controller provisions the application firewall policy in the firewall component, and the firewall component applies the application firewall policy to the network traffic of the instance of the application. The firewall component may be a physical device or a virtual device. In the case of a virtual firewall, the virtual firewall may reside inside the cloud of the cloud data center or outside it. In the case of a physical firewall, the physical firewall is located outside the cloud of the cloud data center, between the SDN gateway of the cloud data center and the external network. Where there is no SDN gateway, the firewall may be located between the cloud and the external network of the cloud data center.
In some examples, if the application firewall policy repository of the SDN controller contains no application firewall policy corresponding to the application signature, the SDN controller generates an application firewall policy corresponding to the application signature. In other examples, the SDN controller receives the application firewall policy corresponding to the application signature from an administrator. The SDN controller stores the application firewall policy in the application firewall policy repository so that the policy is available to the SDN controller for subsequent instances of the application.
Thus, when the SDN controller instantiates an application for the first time, it builds network and firewall policies for the application and configures the firewall component so that those network and firewall policies are applied to the application instance and to subsequent instances of the same application. The SDN controller can therefore create a centralized repository of application-specific firewall policies and can configure the firewall component with the application-specific firewall policy on demand when an application instance is created. The techniques of this disclosure may simplify the management and configuration of firewall components, and may thus allow the SDN controller to provide a scalable and flexible way of configuring and enforcing firewall policies.
In one example, the disclosure describes a method comprising: receiving, by a software-defined network (SDN) controller of a data center, a request to initialize an instance of an application; and, in response to receiving the request, sending a message from the SDN controller to a firewall component located between the SDN gateway of the data center and a network outside the data center, the message including an application signature corresponding to the instance of the application and an application firewall policy corresponding to the application signature, wherein the message instructs the firewall component to install the application firewall policy to be applied to the network traffic of the instance of the application.
In another example, the disclosure describes a software-defined network (SDN) controller of a data center configured to: receive a request to initialize an instance of an application; and, in response to receiving the request, send a message to a firewall component located between the SDN gateway device of the data center and a network outside the data center, the message including an application signature corresponding to the instance of the application and an application firewall policy corresponding to the application signature, wherein the message instructs the firewall component to install the application firewall policy to be applied to the network traffic of the instance of the application.
In another example, the disclosure describes a non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors of a software-defined network (SDN) controller of a data center to: receive a request to initialize an instance of an application; and, in response to receiving the request, send a message to a firewall component located between the SDN gateway of the data center and a network outside the data center, the message including an application signature corresponding to the instance of the application and an application firewall policy corresponding to the application signature, wherein the message instructs the firewall component to install the application firewall policy to be applied to the network traffic of the instance of the application.
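The provisioning flow of the summary and of the method, controller and medium examples above, modelled as an added illustration that is not code from the patent: a controller asks the firewall component for the application signature, consults its policy repository, falls back to an administrator-supplied or generated policy, stores the result, and sends the install message. The signature scheme, the message layout and the shape of the generated default policy are assumptions made for the illustration.

```python
"""Toy model of SDN-controller-driven application firewall provisioning.

Added example; the signature scheme ("app:<name>"), the message layout and the
default policy are assumptions, not the patent's own design.
"""
from typing import Dict, List, Optional

Policy = List[dict]   # a policy is an ordered list of network-traffic rules


class FirewallComponent:
    """Stands in for the firewall component outside the SDN gateway."""

    def __init__(self) -> None:
        self.installed: Dict[str, Policy] = {}   # signature -> installed policy
        self.install_log: List[str] = []         # signatures in install order

    def application_signature(self, app_name: str) -> str:
        # Assumption: the firewall identifies an application by a stable name,
        # so every instance of the same application yields the same signature.
        return "app:" + app_name

    def receive(self, message: dict) -> None:
        # The controller's message carries the signature and the policy;
        # installing it binds the policy to that application's traffic.
        if message.get("type") != "install_application_firewall_policy":
            raise ValueError("unexpected message type")
        self.installed[message["application_signature"]] = message["policy"]
        self.install_log.append(message["application_signature"])


class SdnController:
    def __init__(self, firewall: FirewallComponent) -> None:
        self.firewall = firewall
        self.policy_repository: Dict[str, Policy] = {}   # centralized store
        self.admin_policies: Dict[str, Policy] = {}      # supplied by an administrator
        self.generated: List[str] = []                   # signatures we had to generate

    def administrator_supplies(self, signature: str, policy: Policy) -> None:
        self.admin_policies[signature] = policy

    def _generate_policy(self, signature: str) -> Policy:
        # Assumed default: admit only TCP/443 towards the application, block the rest.
        self.generated.append(signature)
        return [
            {"direction": "ingress", "proto": "tcp", "dst_port": 443,
             "dst": signature, "action": "allow"},
            {"direction": "ingress", "dst": signature, "action": "block"},
        ]

    def instantiate(self, app_name: str, instance_id: str) -> dict:
        """Handle a request to initialize an instance; returns the message sent."""
        signature = self.firewall.application_signature(app_name)
        policy: Optional[Policy] = self.policy_repository.get(signature)
        if policy is None:
            # No stored policy yet: take the administrator's if present, otherwise
            # generate one, then store it so later instances reuse it.
            policy = self.admin_policies.get(signature) or self._generate_policy(signature)
            self.policy_repository[signature] = policy
        message = {
            "type": "install_application_firewall_policy",
            "instance_id": instance_id,
            "application_signature": signature,
            "policy": policy,
        }
        self.firewall.receive(message)
        return message


def demo() -> dict:
    """Two applications, one of them instantiated twice (constructed scenario)."""
    fw = FirewallComponent()
    ctl = SdnController(fw)
    ctl.administrator_supplies("app:billing", [
        {"direction": "ingress", "src": "198.51.100.0/24", "dst": "app:billing",
         "proto": "tcp", "dst_port": 8443, "action": "allow"},   # constructed rule
        {"direction": "ingress", "dst": "app:billing", "action": "block"},
    ])
    ctl.instantiate("web", "vm-1")        # no stored policy: one is generated
    ctl.instantiate("billing", "vm-2")    # administrator-supplied policy is used
    ctl.instantiate("web", "vm-3")        # second instance: repository hit, nothing generated
    return {
        "repository": sorted(ctl.policy_repository),
        "generated": ctl.generated,
        "installed_on_firewall": fw.install_log,
    }


if __name__ == "__main__":
    print(demo())
```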
The details of one or more examples of the techniques of this disclosure are set forth in the accompanying drawings and the description below. Other features, objects and advantages of these techniques will be apparent from the description and drawings, and from the claims.
Brief description of the drawings
Fig. 1 is a block diagram showing an example network with a data center in which examples of the techniques described herein may be implemented.
Fig. 2 is a block diagram illustrating in greater detail an example implementation of the data center of Fig. 1.
Fig. 3 is a block diagram illustrating in greater detail an example of a control node of the SDN controller, according to the techniques of this disclosure.
Fig. 4 is a block diagram showing an example implementation of a firewall component in which examples of the techniques described herein may be implemented.
Fig. 5 is a flowchart showing example operations according to the techniques of this disclosure.
Like reference characters denote like elements throughout the figures and the description.
Detailed description
Fig. 1 is a block diagram showing an example network 5 with a data center 10, in which SDN controller 32 and firewall 35 operate according to the techniques described herein to provide application-aware enforcement of firewall policies. In general, data center 10 provides an operating environment for applications and services for clients 4 of data center 10, which are coupled to data center 10 through service provider network 6. Data center 10 hosts infrastructure equipment, such as network and storage systems, redundant power supplies and environmental controls. Service provider network 6 may be coupled to one or more networks administered by other providers and may therefore form part of a large-scale public network infrastructure (e.g., the Internet).
In some examples, data center 10 may represent one of many geographically distributed network data centers. As shown in the example of Fig. 1, data center 10 is a facility that provides network services for clients 4. Clients 4 may be collective entities such as enterprises and governments, or individuals. For example, a network data center may host web services for several enterprises and end users. Other example services may include data storage, virtual private networks, traffic engineering, file services, data mining, scientific or super-computing, and so on. In some examples, data center 10 is an individual network server, a network peer, or otherwise.
In this example, data center 10 includes a set of storage systems and application servers interconnected by a high-speed switch fabric 21 provided by one or more tiers of physical network switches and routers. Servers 26A-26X ("servers 26") are the compute nodes of the data center. In some examples, the terms "compute node" and "server" are used interchangeably herein to refer to servers 26. For example, each server 26 may provide an operating environment for executing one or more client-specific virtual machines ("VMs" in Fig. 1). Switch fabric 21 is provided by a set of interconnected top-of-rack (TOR) switches 24A-24N (collectively "TOR switches 24") coupled to a distribution layer of chassis switches 22A-22M (collectively "chassis switches 22"). Although not shown, data center 10 may also include, for example, one or more non-edge switches, routers, hubs, gateways, security devices (such as firewalls, intrusion detection and/or intrusion prevention devices), servers, terminals, laptop computers, printers, databases, wireless mobile devices (such as cellular phones or personal digital assistants), wireless access points, bridges, cable modems, application accelerators, or other network devices.
In this example, TOR switches 24 and chassis switches 22 provide servers 26 with redundant (multi-homed) connectivity to IP fabric 20. Chassis switches 22 aggregate traffic flows and provide high-speed connectivity between TOR switches 24. TOR switches 24 are network devices that provide layer 2 (e.g., MAC) and/or layer 3 (e.g., IP) routing and/or switching functionality. TOR switches 24 and chassis switches 22 each include one or more processors and memory, and are capable of executing one or more software processes. Chassis switches 22 are coupled to IP fabric 20, which performs layer 3 routing to route network traffic between data center 10 and clients 4 through service provider network 6. Software-defined networking ("SDN") gateway 8 forwards and receives packets between IP fabric 20 and service provider network 6.
According to one or more examples of this disclosure, SDN controller 32 provides a logically and, in some cases, physically centralized controller for facilitating the operation of one or more virtual networks within data center 10. Throughout this disclosure, the terms SDN controller and virtual network controller ("VNC") may be used interchangeably. In some examples, SDN controller 32 operates in response to configuration input received from orchestration engine 30 via northbound application programming interface (API) 31, which in turn operates in response to configuration input received from administrator 28. Additional information regarding SDN controller 32 operating in conjunction with other devices of data center 10 or other software-defined networks may be found in International Application No. PCT/US2013/044378, filed June 5, 2013, entitled "Physical path determination for virtual network packet flows", which is incorporated herein by reference as if fully set forth herein.
In some examples, orchestration engine 30 manages functions of data center 10 such as compute, storage, networking and application resources. For example, orchestration engine 30 may create virtual networks for tenants within data center 10 or across data centers. Orchestration engine 30 may attach virtual machines (VMs) to a tenant's virtual network. Orchestration engine 30 may connect a tenant's virtual network to some external network (e.g., the Internet or a VPN). Orchestration engine 30 may implement security policies across a group of VMs or at the boundary of a tenant's network. Orchestration engine 30 may deploy network services (e.g., a load balancer) in a tenant's virtual network.
In some examples, SDN controller 32 manages the network and networking services (such as load balancing and security) and allocates resources from servers 26 to various applications via southbound API 33. That is, southbound API 33 represents a set of communication protocols used by SDN controller 32 to make the actual state of the network equal to the desired state specified by orchestration engine 30. One such communication protocol may include a messaging protocol such as XMPP, for example. For example, SDN controller 32 implements high-level requests from orchestration engine 30 by configuring physical switches (e.g., TOR switches 24, chassis switches 22 and switch fabric 21), physical routers, physical service nodes such as firewalls and load balancers, and virtual services such as virtual firewalls in VMs. SDN controller 32 maintains routing, networking and configuration information in a state database. SDN controller 32 communicates a suitable subset of the routing and configuration information from the state database to the virtual router (VR) agents 36A-36X ("VA" in Fig. 1) on each of servers 26A-26X.
In general, traffic between any two network devices (such as between network devices (not shown) within IP fabric 20, between servers 26 and clients 4, or between servers 26) can traverse the physical network using many different paths. For example, there may be several different paths of equal cost between two network devices. In some cases, packets belonging to network traffic from one network device to another may be distributed among the various possible paths at each network switching node using a routing strategy referred to as multipath routing. For example, Internet Engineering Task Force (IETF) RFC 2992, "Analysis of an Equal-Cost Multi-Path Algorithm", describes a routing technique for routing packets along multiple paths of equal cost. The technique of RFC 2992 analyzes one particular multipath routing strategy that involves assigning flows to bins by hashing packet header fields, so that all packets from a particular network flow are sent over a single deterministic path.
For example, a "flow" is defined by the five values used in a packet header (or "five-tuple", i.e., protocol, source IP address, destination IP address, source port and destination port) that are used to route the packet through the physical network. For example, the protocol specifies the communication protocol, such as TCP or UDP, and the source port and destination port refer to the source and destination ports of the connection. A set of one or more packet data units (PDUs) matching a particular flow entry represents a flow. Flows may be broadly classified using any parameter of a PDU, such as source and destination data link (e.g., MAC) and network (e.g., IP) addresses, a virtual local area network (VLAN) tag, transport layer information, a multiprotocol label switching (MPLS) or generalized MPLS (GMPLS) label, and an ingress port of the network device receiving the flow. For example, a flow may be all PDUs transmitted in a transmission control protocol (TCP) connection, all PDUs sourced by a particular MAC address or IP address, all PDUs having the same VLAN tag, or all PDUs received at the same switch port.
As described herein, each of servers 26 includes a respective virtual router ("VR" in Fig. 1) that executes multiple routing instances for corresponding virtual networks within data center 10 and routes packets to the appropriate virtual machines executing within the operating environment provided by the server. Packets received by the virtual router of server 26A from the underlying physical network fabric may include, for example, an outer header that allows the physical network fabric to tunnel the payload or "inner packet" to the physical network address of the network interface of the server 26 that executes the virtual router. The outer header may include not only the physical network address of the server's network interface but also a virtual network identifier, such as a VxLAN tag or a multiprotocol label switching (MPLS) label, that identifies one of the virtual networks and the corresponding routing instance executed by the virtual router. The inner packet includes an inner header having a destination network address that conforms to the virtual network addressing space of the virtual network identified by the virtual network identifier.
In some aspects, the virtual router buffers and aggregates multiple tunneled packets received from the underlying physical network fabric before delivering them to the appropriate routing instance for the packets. That is, a virtual router executing on one of servers 26 may receive inbound tunneled packets of a packet flow from TOR switch 24 and, before routing the tunneled packets to a locally executing virtual machine, process them to construct a single aggregated tunneled packet for forwarding to the virtual machine. That is, the virtual router may buffer multiple inbound tunneled packets and construct a single tunneled packet in which the payloads of the multiple tunneled packets are combined into a single payload and the outer/overlay headers on the tunneled packets are removed and replaced with a single header virtual network identifier. In this way, the aggregated tunneled packet can be forwarded by the virtual router to the virtual machine as if a single inbound tunneled packet had been received from the virtual network. Moreover, to perform the aggregation operation, the virtual router may leverage a kernel-based offload engine that seamlessly and automatically directs the aggregation of tunneled packets. Further example techniques by which the virtual router forwards traffic to client-specific virtual machines executing on servers 26 are described in U.S. Patent Application 14/228,844, entitled "Packet segmentation offload for virtual networks", which is incorporated herein by reference.
In the example of Fig. 1, SDN controller 32 learns and distributes routing and other information (such as configuration information) to all compute nodes in data center 10. Upon receiving routing information from SDN controller 32, the VR agent 36 running on a compute node typically programs the data forwarding element (virtual router) with the forwarding information. SDN controller 32 sends routing and configuration information to VR agents 36 using a messaging protocol such as the XMPP protocol rather than a heavier-weight protocol such as a routing protocol like Border Gateway Protocol (BGP). In XMPP, SDN controller 32 and the agents communicate routing and configuration over the same channel. When receiving virtual routes from VR agents 36, SDN controller 32 acts as the messaging protocol client and VR agents 36 act as the messaging protocol server. Conversely, when SDN controller 32 sends routes to VR agents 36, SDN controller 32 acts as the messaging protocol server for VR agents 36, which act as messaging protocol clients.
Firewall 35 applies firewall policies to network traffic flowing between one or more applications executing on the virtual machines of servers 26 and other devices outside data center 10 (such as those connected to data center 10 via service provider network 6). Firewall 35 may implement complex security rules to allow or block network traffic from outside data center 10 before it enters a private cloud provided by data center 10 (e.g., for an IT department) or a hybrid cloud provided by data center 10 (e.g., a cloud that uses a combination of public and private clouds). In the example of Fig. 1, firewall 35 is located on the external side of SDN gateway 8, for example between SDN gateway 8 and an upstream router of the network outside data center 10 (such as service provider network 6). In other examples, firewall 35 executes as a virtual network function (VNF) on a cluster of computing devices of data center 10 (such as servers 26).
In some examples, firewall 35 enforces each firewall policy at the port and protocol level. In other examples, firewall 35 enforces each firewall policy at the application level (OSI layer 7), for example allowing Hypertext Transfer Protocol (HTTP) traffic while blocking Secure Sockets Layer (SSL) traffic. In one example, each firewall policy defines multiple network traffic rules. In some examples, firewall 35 may block traffic based on 5-tuple rules (e.g., a layer 3 or layer 4 firewall), based on access control lists (ACLs), or based on a 5-tuple together with an application identifier (ID) or signature (e.g., a layer 7 firewall). Each network traffic rule may include at least one source IP address, at least one source port, at least one destination IP address, at least one destination port and a protocol; may specify whether the network traffic rule is application-based; may specify a direction (e.g., ingress or egress traffic); and may further specify a pattern-matching rule (e.g., a regular expression). In some examples, the network traffic rule may further specify a corresponding permission action for network traffic from the source to the destination (e.g., block the traffic, allow the traffic, log the traffic, or report the traffic to an administrator).
In some instances, the source of a network flow and the destination of a network flow are expressed by one or more network addresses and/or one or more subnets. For example, based on a firewall policy, firewall 35 can block or allow network traffic to or from one or more applications. For example, based on a first firewall policy, firewall 35 can block network traffic that originates from one or more addresses specified by the first firewall policy and is destined for one or more applications. As another example, based on a second firewall policy, firewall 35 can allow network traffic from one or more addresses specified by the second firewall policy that is destined for one or more applications. As another example, based on a third firewall policy, firewall 35 can block network traffic that originates from one or more applications and is destined for one or more addresses specified by the third firewall policy. As another example, based on a fourth firewall policy, firewall 35 can allow network traffic from one or more applications that is destined for one or more addresses specified by the fourth firewall policy.
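As an added illustration, not code from the patent, the following Python models a network flow rule with the match fields listed above and evaluates a flow against an ordered rule set using first-match semantics. The field names, the sample subnets, the regular expression and the application signature value "webmail/2.1" are this example's own assumptions; the sample rules mirror the four example policies just described plus one layer 7 pattern rule.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class FlowRule:
    """A network flow rule carrying the match fields the text lists (field names assumed)."""
    action: str                            # "block", "allow", "log" or "report"
    src: List[ipaddress.IPv4Network]       # source addresses and/or subnets
    dst: List[ipaddress.IPv4Network]       # destination addresses and/or subnets
    src_ports: Optional[Set[int]] = None   # None means any source port
    dst_ports: Optional[Set[int]] = None   # None means any destination port
    protocol: Optional[str] = None         # "tcp", "udp", ...; None means any protocol
    direction: Optional[str] = None        # "ingress" or "egress"; None means either
    app_signature: Optional[str] = None    # set on application-based (layer 7) rules
    pattern: Optional[str] = None          # regular expression matched against the payload

    @property
    def is_application_based(self) -> bool:
        return self.app_signature is not None or self.pattern is not None

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    direction: str
    app_signature: Optional[str] = None
    payload: bytes = b""

def _in_any(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def rule_matches(rule: FlowRule, flow: Flow) -> bool:
    """True when every field the rule specifies agrees with the flow."""
    if not _in_any(flow.src_ip, rule.src) or not _in_any(flow.dst_ip, rule.dst):
        return False
    if rule.src_ports is not None and flow.src_port not in rule.src_ports:
        return False
    if rule.dst_ports is not None and flow.dst_port not in rule.dst_ports:
        return False
    if rule.protocol is not None and rule.protocol != flow.protocol:
        return False
    if rule.direction is not None and rule.direction != flow.direction:
        return False
    if rule.app_signature is not None and rule.app_signature != flow.app_signature:
        return False
    if rule.pattern is not None and re.search(rule.pattern.encode(), flow.payload) is None:
        return False
    return True

def evaluate(rules: List[FlowRule], flow: Flow, default: str = "block") -> str:
    """First matching rule wins; a flow that no rule matches gets the default action."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default

# Constructed sample data: application instances live in APP_NET, clients in
# CLIENT_NET, and BAD_NET is a subnet the administrator has chosen to block.
net = ipaddress.ip_network
ANY = [net("0.0.0.0/0")]
APP_NET = [net("10.0.1.0/24")]
CLIENT_NET = [net("203.0.113.0/24")]
BAD_NET = [net("198.51.100.0/24")]
SIG = "webmail/2.1"   # assumed application signature value

SAMPLE_RULES = [
    # layer 7 pattern rule: report ingress requests for the admin path (assumed pattern)
    FlowRule("report", ANY, APP_NET, direction="ingress", pattern=r"^GET /admin"),
    # first policy: block traffic from listed addresses to the application
    FlowRule("block", BAD_NET, APP_NET, direction="ingress", app_signature=SIG),
    # second policy: allow traffic from listed addresses to the application
    FlowRule("allow", CLIENT_NET, APP_NET, dst_ports={443}, protocol="tcp",
             direction="ingress", app_signature=SIG),
    # third policy: block traffic from the application to listed addresses
    FlowRule("block", APP_NET, BAD_NET, direction="egress", app_signature=SIG),
    # fourth policy: allow traffic from the application to listed addresses
    FlowRule("allow", APP_NET, CLIENT_NET, direction="egress", app_signature=SIG),
]
```

Rule order matters under first-match evaluation: the pattern rule sits first so that a matching payload is reported even when a later 5-tuple rule would allow the flow, and anything no rule covers falls through to the deny-by-default action.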
In some instances, firewall 35 performs packet forwarding and packet filtering services for data center 10. In some instances, firewall 35 is a physical firewall component and includes hardware, or a combination of hardware and software. In other examples, firewall 35 is a virtual firewall component and includes software executing on one or more virtual machines; in some cases the virtual machine(s) may reside on a device outside the cloud, between the upstream side of SDN controller 23 and an external network router. In some instances, firewall 35 is part of the infrastructure of data center 10. In other examples, firewall 35 is operated by a third party on a network separate from data center 10.
In accordance with the techniques of this disclosure, SDN controller 32 implements application-aware firewall policy enforcement for cloud data center 10. In one example of the techniques described herein, data center 10 provides a private cloud to one or more clients 4, and may enable applications to be installed, tenants to be created, and virtual machines to be instantiated on demand to execute the applications. SDN controller 32 can apply network permissions or firewall policies to control which clients can access which applications. In one example, SDN controller 32 determines a firewall policy for an application and configures firewall 35, which is located outside SDN gateway 8 of data center 10, with the firewall policy. Firewall 35 can apply the firewall policy to the network traffic of the application.
An SDN gateway application executing on SDN gateway 8 can provide authorized users (such as one or more clients 4 outside data center 10) with access to data center 10 through firewall 35 and SDN gateway 8. After client 4 is authorized for data center 10 (for example, client 4 belongs to a security group that is authorized for an application of data center 10), SDN controller 32 receives a request from client 4 to access an application provided by data center 10. In response to the request, SDN controller 32 instantiates an instance of the application within a virtual machine of server 26A. In an alternative example, SDN controller 32 instantiates the instance of the application in a container. The application may include one or more network-based applications, such as a web browser or an e-mail application; a nested application, such as a video platform or a social media platform; an evasive application (for example, an application that dynamically changes ports); or other types of applications. During the instantiation process, SDN controller 32 applies generic and user-specific configuration to the application instance.
In addition, SDN controller 32 can query firewall 35 for an application signature corresponding to the application instance, for example if SDN controller 32 does not yet have a record of the application signature for the application. In some instances, the application signature is an application-specific identifier. For example, the application signature can describe the type of the application or the version number of the application, so that the application can be distinguished from other applications. As shown in Fig. 1, in response to the query, firewall 35 sends a message 36 including the application signature to SDN controller 32.
SDN controller 32 retrieves an application firewall policy corresponding to the application signature from application firewall policy library 38. In some examples, application firewall policy library 38 is a database that stores application signatures and application firewall policies as key: value pairs. In other words, SDN controller 32 can use the application signature to retrieve the application firewall policy corresponding to that application signature. SDN controller 32 provides the application firewall policy to firewall 35, for example by sending a message 37 via a network management protocol such as the Network Configuration Protocol (NETCONF). In some instances, SDN controller 32 provides firewall 35 with one or more application firewall policies, so that firewall 35 applies the firewall rules of the application firewall policies to the network traffic of the application instance. Such firewall rules may include "5-tuple" based rules, ACL rules, or other firewall filtering rules. In addition, an application firewall policy can define firewall rules based on the application signature.
In some instances, SDN controller 32 can receive from a user an indication that the user has ended his or her session with the application. In response to the indication, SDN controller 32 destroys or deallocates the application instance. In addition, SDN controller 32 configures firewall 35 to remove the application firewall policy corresponding to the application signature of the application instance. For example, SDN controller 32 sends a message to firewall 35 instructing firewall 35 to delete, from the policies it stores, the application firewall policy of the application corresponding to the application signature.
In some instances, application firewall policy library 38 does not include an application firewall policy corresponding to the application signature. In one example, SDN controller 32 generates an application firewall policy corresponding to the application signature, for example in response to determining that application firewall policy library 38 does not include one. For example, SDN controller 32 can use a generic firewall template that includes one or more generic firewall policies to generate the application firewall policy corresponding to the application signature. In other examples, SDN controller 32 queries an administrator for an application firewall policy corresponding to the application signature. SDN controller 32 stores the newly created application firewall policy in application firewall policy library 38, so that SDN controller 32 can use the application firewall policy for subsequent instances of the application.
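The controller-side workflow just described (instantiate, query the firewall for the application signature, look the policy up in the library keyed by that signature, fall back to a generic template or an administrator on a miss, configure the firewall, and remove the policy at session end) can be put together as in the following added Python example. It is not code from the patent: the message shape, the in-memory firewall stand-in, the generic template contents, the application name "webmail" and the signature value "webmail/2.1" are assumptions of this example, and the transport (NETCONF, REST or another protocol) is abstracted into a single `handle` call.

```python
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Message:
    """Controller <-> firewall message; the transport (NETCONF, REST, ...) is abstracted away."""
    kind: str                       # "query_signature", "signature", "install_policy", "remove_policy", "ok"
    app_name: str
    signature: Optional[str] = None
    policy: Optional[dict] = None

class FirewallStub:
    """Stand-in for firewall 35: answers signature queries and keeps installed policies."""
    def __init__(self, signatures: Dict[str, str]) -> None:
        self.signatures = signatures           # application name -> application signature (constructed)
        self.installed: Dict[str, dict] = {}   # application signature -> installed policy
        self.log: List[str] = []               # message kinds seen, for inspection

    def handle(self, msg: Message) -> Message:
        self.log.append(msg.kind)
        if msg.kind == "query_signature":
            return Message("signature", msg.app_name, signature=self.signatures[msg.app_name])
        if msg.kind == "install_policy":
            self.installed[msg.signature] = msg.policy
        elif msg.kind == "remove_policy":
            self.installed.pop(msg.signature, None)
        else:
            raise ValueError(f"unknown message kind {msg.kind}")
        return Message("ok", msg.app_name, signature=msg.signature)

# Assumed generic firewall template: deny by default, allow HTTPS ingress.
GENERIC_TEMPLATE = {
    "default": "block",
    "rules": [{"direction": "ingress", "protocol": "tcp", "dst_ports": [443], "action": "allow"}],
}

class PolicyLibrary:
    """Application firewall policy library 38 as a key: value store keyed by application signature."""
    def __init__(self) -> None:
        self.store: Dict[str, dict] = {}
    def get(self, signature: str) -> Optional[dict]:
        return self.store.get(signature)
    def put(self, signature: str, policy: dict) -> None:
        self.store[signature] = policy

class Controller:
    """Controller workflow: instantiate -> learn signature -> look up or create policy -> configure firewall."""
    def __init__(self, firewall: FirewallStub, library: PolicyLibrary,
                 ask_admin: Optional[Callable[[str, str], dict]] = None) -> None:
        self.firewall, self.library, self.ask_admin = firewall, library, ask_admin
        self.signature_cache: Dict[str, str] = {}        # app name -> signature already learned
        self.created: List[str] = []                     # signatures for which a policy had to be created
        self.instances: Dict[int, Tuple[str, str]] = {}  # instance id -> (app name, signature)
        self._next_id = 0

    def instantiate(self, app_name: str) -> int:
        signature = self.signature_cache.get(app_name)
        if signature is None:   # no record yet: ask the firewall for the application signature
            signature = self.firewall.handle(Message("query_signature", app_name)).signature
            self.signature_cache[app_name] = signature
        policy = self.library.get(signature)
        if policy is None:      # library miss: derive from the generic template or ask an administrator
            policy = self.ask_admin(app_name, signature) if self.ask_admin else self._from_template(signature)
            self.library.put(signature, policy)
            self.created.append(signature)
        self.firewall.handle(Message("install_policy", app_name, signature, policy))
        self._next_id += 1
        self.instances[self._next_id] = (app_name, signature)
        return self._next_id

    @staticmethod
    def _from_template(signature: str) -> dict:
        policy = copy.deepcopy(GENERIC_TEMPLATE)
        policy["app_signature"] = signature   # make the generic rules specific to this application
        return policy

    def terminate(self, instance_id: int) -> bool:
        """Tear down an instance; returns True if the firewall policy was removed."""
        app_name, signature = self.instances.pop(instance_id)
        # design choice of this example: keep the policy while another instance of the same application runs
        if any(sig == signature for _, sig in self.instances.values()):
            return False
        self.firewall.handle(Message("remove_policy", app_name, signature))
        return True
```

The library lookup happens before any generation, so the second instance of the same application reuses the stored policy without a new signature query or template expansion. The reference-count check in `terminate` is this example's own addition: removing a policy while another instance of the same application is still running would leave that instance unprotected, which is the failure mode a practitioner needs to rule out when the remove-on-session-end step is implemented.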
In this way, in some instances, when SDN controller 32 instantiates an instance of an application for the first time, SDN controller 32 creates network and firewall policies for the application. In addition, SDN controller 32 configures firewall 35 to apply these network and firewall policies to the application instance and to subsequent instances of the same application. SDN controller 32 can therefore create a centralized repository of application-specific firewall policies and, as needed when an instance of an application is created, configure firewall 35 with the application-specific firewall policy. The techniques of this disclosure can simplify the management and configuration of firewall components (such as firewall 35). Accordingly, the techniques of this disclosure can allow SDN controller 32 to provide a scalable and flexible method for configuring and enforcing firewall policies.
Fig. 2 is a block diagram illustrating an example implementation of data center 10 of Fig. 1 in further detail. In the example of Fig. 2, SDN controller 32 includes one or more analytics nodes 50A-50X (collectively, "analytics nodes 50"), one or more configuration nodes 52A-52X (collectively, "configuration nodes 52"), and control nodes 54A-54X (collectively, "control nodes 54"). In general, each of nodes 50, 52 and 52 may be implemented as a separate software process, and the nodes may be distributed across multiple hardware computing platforms that provide an environment for executing the software. In addition, each node maintains state data 56, which may be stored in a centralized or distributed database. In some instances, state database 56 is a NoSQL database. In some instances, state database 56 is a database cluster.
In general, analytics nodes 50 are tasked with collecting, storing, correlating and analyzing information about the virtual and physical network elements within data center 10. This information may include statistics, logs, events and errors for managing the routing and network configuration of data center 10. Analytics nodes 50 store this information in state database 56.
Configuration nodes 52 translate the high-level data model of orchestration engine 30 into lower-level models suitable for interacting with network elements (such as physical switches 22, 24 and VR agents 36). Configuration nodes 52 keep a persistent copy of the configuration state of SDN controller 32 in state database 56.
Control nodes 54 implement the logically centralized control plane responsible for maintaining ephemeral network state. Control nodes 54 interact with each other and with network elements (such as VR agents 36 and virtual routers 42 of servers 26) to ensure that the network state eventually converges to the desired state specified by orchestration engine 30. In general, control nodes 54 receive configuration state information of SDN controller 32 from configuration nodes 32, and exchange routes with each other via IBGP to ensure that all control nodes 54 have the same network state. In addition, control nodes 54 exchange routes with VR agents 36 on servers 26 via XMPP. Control nodes 54 also communicate configuration state information (such as routing instances and forwarding policy) to VR agents 36, for example via XMPP, for installation within the corresponding virtual routers 42. In some instances, control nodes 54 may proxy traffic on behalf of servers 26; these proxy requests may be received via XMPP. In addition, control nodes 54 exchange routes with SDN gateway 8 via BGP, and exchange the configuration state of SDN controller 32 with service nodes 21 via NETCONF.
Configuration nodes 52 provide a discovery service that clients 4 can use to locate various services available within the network. For example, if VR agent 36A attempts to connect to control node 54A, it uses the discovery service provided by configuration nodes 52 to discover the IP address of control node 54A. Clients executing on VMs 48 can use local configuration, DHCP or DNS to locate the service discovery server within configuration nodes 52.
In some instances, configuration nodes 52 present a northbound API that interfaces with orchestration engine 30. Orchestration engine 30 uses this interface to install configuration state using the high-level data model. Configuration nodes 52 further include a message bus to facilitate communication among internal components. Configuration nodes 52 further include a transformer that discovers changes in the high-level model of orchestration engine 30 and transforms these changes into corresponding changes in the low-level data model managed by SDN controller 32. Configuration nodes 52 further include an IF-MAP server that provides a southbound API to push the computed low-level configuration down to control nodes 54. In addition, configuration nodes 52 include a distributed application manager for allocating unique object identifiers and implementing transactions across data center 10.
In accordance with the techniques of this disclosure, one or more control nodes 54 of SDN controller 32 implement application-aware firewall policy enforcement for cloud data center 10. In one example, one or more control nodes 54 receive, from a user (such as one of clients 4), a request to access an application provided by data center 10. In response, one or more control nodes 54 send an XMPP message to server 26A instructing VM 48 of server 26A to execute an instance of the application. During the instantiation process, one or more control nodes 54 may apply generic and user-specific configuration to the application instance.
In addition, one or more control nodes 54 send a query 202 to firewall 35, for example via REST, for an application signature corresponding to the application instance. In response to query 202, firewall 35 provides one or more control nodes 54 with a response 204 including the application signature corresponding to the application instance. One or more control nodes 54 retrieve the application firewall policy corresponding to the application signature from application firewall policy library 38. One or more control nodes 54 send firewall 35 a NETCONF message 206 including the application firewall policy. In other examples, one or more control nodes 54 push configuration information including the application firewall policy directly to firewall 35. Firewall 35 applies the application firewall policy to the network traffic of the application instance. Although in the foregoing example one or more control nodes 54 and firewall 35 form messages 202, 204 and 206 using the NETCONF protocol, in other examples one or more control nodes 54 and firewall 25 can use other protocols to form messages 202, 204 and 206, such as BGP, Google Remote Procedure Call ("gRPC"), OpenConf, REST, RESTCONF, OpenFlow, OpenConfig, Simple Network Management Protocol (SNMP), XMPP, or other types of open-source general-purpose RPC frameworks.
In some instances, one or more control nodes 54 can receive from a user an indication that the user has ended his or her session with the application, or can receive an indication that the application has terminated. In response to the indication, one or more control nodes 54 destroy or deallocate the application instance. In addition, one or more control nodes 54 send a NETCONF message to firewall 35 that causes firewall 35 to remove the application firewall policy corresponding to the application signature of the application instance.
In some instances, application firewall policy library 38 does not include an application firewall policy corresponding to the application signature. In one example, one or more control nodes 54 generate an application firewall policy corresponding to the application signature. For example, one or more control nodes 54 can use a generic firewall template including one or more generic firewall policies to define the application firewall policy corresponding to the application signature. In other examples, one or more control nodes 54 query an administrator for the application firewall policy corresponding to the application signature. For example, one or more control nodes 54 can provide a user interface that the administrator can use to define the application firewall policy corresponding to the application signature. After receiving data defining the application firewall policy via the user interface, one or more control nodes 54 store the application firewall policy in application firewall policy library 38. One or more control nodes 54 can reuse the application firewall policy for subsequent instances of the same application.
Accordingly, using the techniques of this disclosure, when one or more control nodes 54 instantiate an instance of an application for the first time, the one or more control nodes 54 create network and firewall policies for the application, store the policies in application firewall policy library 38, and configure firewall 35 to apply these network and firewall policies to the application instance and to subsequent instances of the same application. One or more control nodes 54 can use the techniques described herein to create a centralized repository of application-specific firewall policies and, as needed when an instance of an application is created, configure firewall 35 with the application-specific firewall policy. The techniques of this disclosure can simplify the management and configuration of firewall components. Accordingly, the techniques of this disclosure can allow an SDN controller (such as SDN controller 32) to provide a scalable and flexible method for configuring and enforcing firewall policies.
The architecture of data center 10 illustrated in Fig. 2 is shown for example purposes only. The techniques described in this disclosure may be implemented in the example data center 10 of Fig. 2 as well as in other types of data centers not specifically described herein. Nothing in this disclosure should be construed as limiting the techniques of this disclosure to the example architecture illustrated in Fig. 2.
Fig. 3 is a block diagram illustrating an example control node of an SDN controller in further detail, in accordance with the techniques of this disclosure. Control node 54 is configured to communicate with multiple other types of nodes, including configuration nodes 52A-52X ("configuration nodes 52"), other control nodes 54B-54X, compute nodes 62A-62X ("compute nodes 62") and gateway nodes 72A-72N ("gateway nodes"). Control node 54A provides an operating environment for the execution of protocols 70. Protocols 70 may include, for example, XMPP process 70A, NETCONF protocol process 70B, BGP process 70C and IF-MAP process 70D. In addition, control node 54A includes firewall manager process 74 for configuring firewall 35 with application firewall policies.
The control node receives configuration state from the configuration nodes using IF-MAP. The control node exchanges routes with other control nodes using IBGP to ensure that all control nodes have the same network state. The control node exchanges routes with the vRouter agents on the compute nodes using XMPP. The control node also uses XMPP to send configuration state, such as routing instances and forwarding policy. The control node proxies certain kinds of traffic on behalf of the compute nodes; these proxy requests are also received via XMPP. The control node exchanges routes with the gateway nodes (routers and switches) using BGP. The control node also sends configuration state using NETCONF.
Control node 54A receives configuration information from one or more of configuration nodes 52 using Interface to Metadata Access Point (IF-MAP) process 70D. IF-MAP process 70D may include circuitry for executing software instructions for sending and receiving communications to and from configuration nodes 52 in accordance with the IF-MAP protocol. IF-MAP process 70D stores the configuration information received from configuration nodes 52 to configuration state 66 ("config. state 66").
Control node 54A exchanges BGP messages with BGP peers (including control nodes 54B-54X and gateway nodes 72) using BGP process 70C. Gateway nodes 72 may include one or more SDN gateways, such as SDN gateway 8. BGP process 70C may include circuitry for executing software instructions for sending and receiving BGP messages with control nodes 54B-54X in accordance with the BGP protocol. BGP process 70C stores routing information received in BGP route advertisements from gateway nodes 72 and control nodes 54B-54X to routing information 65.
Control node 54A exchanges message with calculate node using XMPP process 70A according to XMPP.Control node 54A via
XMPP session 64A-64B (" XMPP session 64 ") exchanges message.Calculate node 62 can correspond to the server 26 of Fig. 1 to Fig. 3.
XMPP process 70A may include the circuit for executing software instruction, these software instructions by according to XMPP protocol come with based on
Operator node 62 exchanges XMPP message.In March, 2011 P.Saint-Andre scalable message transmitting and there are agreements
(XMPP): XMPP being described in further detail, entire contents are incorporated herein by reference in Core, IETF RFC 6120.
Depending on context, control node 54A (and more specifically XMPP process 70A of control node 54A) may serve as an XMPP client or an XMPP server relative to one of compute nodes 62. For example, control node 54A may serve as an XMPP server, and compute nodes 62 may be XMPP clients that subscribe to information published by control node 54A, such as configuration information from configuration state 66 for the respective compute node 62 and routing information from routing information 65 that pertains to the respective compute node 62. As another example, control node 54A may serve as an XMPP client to one or more compute nodes 62 acting as XMPP servers, in which case control node 54A subscribes to information published by compute nodes 62, such as routing information learned by compute nodes 62 from other sources. XMPP process 70A receives routes from compute node 62A via XMPP session 64A and stores the routes to routing information 65. Routes learned by XMPP process 70A may be leaked to BGP process 70C, and BGP process 70C may in turn send BGP route advertisements to its BGP peers advertising the routing information 65 learned from compute nodes 62 via XMPP. In some instances, NETCONF process 70B of control node 54A enables control node 54A to communicate with gateway nodes 72 via the NETCONF protocol.
In accordance with the techniques of this disclosure, control node 54A uses firewall manager 74 to exchange messages with firewall 35 through gateway 72 (for example, via NETCONF). In other examples, control node 54A uses firewall manager 74 to exchange messages and application signatures with firewall 35 via another communication protocol (such as BGP, gRPC, OpenConf, REST, RESTCONF, OpenFlow, OpenConfig, SNMP, XMPP, or other types of open-source general-purpose RPC frameworks). In some instances, control node 54A uses firewall manager 74 to exchange messages with firewall 35 via an HTTP/2 bidirectional stream. In one example, control node 54A sends firewall 35, via REST, a query for the application signature corresponding to the application instance. Gateway node 72N receives the query and forwards it to firewall 35, which provides to firewall manager 74, via gateway 72N, a response including the application signature corresponding to the application instance. Control node 54A uses firewall manager 74 to query application firewall policy library 38 for the application firewall policy corresponding to the application signature. Control node 54A receives from application firewall policy library 38 the application firewall policy corresponding to the application signature. Control node 54A uses firewall manager 74 to configure firewall 35 with the application firewall policy corresponding to the application signature. For example, control node 54A sends firewall 35, via a protocol such as NETCONF, a message including the application signature and the application firewall policy corresponding to the application signature. In response to receiving the message, firewall 35 installs the application firewall policy corresponding to the application signature and applies the application firewall policy to the network traffic of the application instance.
In some instances, control node 54A receives from a user an indication that the user has ended his or her session with the application. In response to the indication, control node 54A destroys or deallocates the application instance. In addition, control node 54A sends a message to firewall 35 that causes firewall 35 to remove the application firewall policy corresponding to the application signature of the application instance.
In some instances, application firewall policy library 38 does not include an application firewall policy corresponding to the application signature. In this example, control node 54A uses firewall manager 74 to query application firewall policy library 38 for the application firewall policy corresponding to the application signature. Control node 54A receives a BGP message indicating that application firewall policy library 38 does not contain such an application firewall policy. In one example, control node 54A uses firewall manager 74 to generate the application firewall policy corresponding to the application signature. For example, firewall manager 74 may include a generic firewall template that includes one or more generic firewall policies, and control node 54A can use the one or more generic firewall policies to define the application firewall policy corresponding to the application signature.
In other examples, control node 54A queries an administrator for the application firewall policy corresponding to the application signature. Control node 54A receives the application firewall policy corresponding to the application signature via user interface 76. In some instances, user interface 76 is a graphical user interface, and in other examples user interface 76 is a command-line interface. In some instances, control node 54A presents, via user interface 76, one or more applications provided by the virtual machines of servers 26 of Fig. 1. Control node 54A receives from the administrator, via user interface 76, a selection of one or more applications. In response to the selection, control node 54 provides, via user interface 76, an interface that the administrator can use to define one or more application firewall policies that include one or more network flow rules for the selected application. Control node 54 receives, via user interface 76, the defined application firewall policy corresponding to the application signature.
After the application firewall policy is defined, control node 54A uses firewall manager 74 to send application firewall policy library 38 a BGP message including the application signature and the application firewall policy. Application firewall policy library 38 stores the application signature and the application firewall policy as a key: value pair for subsequent use. In addition, control node 54A uses firewall manager 74 to configure firewall 35 with the newly defined application firewall policy as described above. Accordingly, control node 54A can perform application signature learning for a new application signature, define an application firewall policy corresponding to the new application signature, and reuse the defined application firewall policy for subsequent instances of the same application.
In some instances, control node 54A maintains application firewall policy library 38 as part of state data 56 of Fig. 2. In some instances, control node 54A stores application firewall policy library 38 in a centralized or distributed database. In some instances, application firewall policy library 38 is a NoSQL database within data center 10. In some instances, application firewall policy library 38 is a database cluster within data center 10.
Accordingly, control node 54A uses firewall manager 74 to create network and firewall policies for an application and stores the associated policies in application firewall policy library 38. In addition, control node 54A uses firewall manager 74 to configure firewall 35 to apply these network and firewall policies to the instance of the application and to subsequent instances of the same application. Control node 54A can therefore use firewall manager 74 and application firewall policy library 38 to create a centralized repository of application-specific firewall policies and, as needed when an instance of an application is created, configure firewall 35 with the application-specific firewall policy.
Fig. 4 is a block diagram illustrating an example implementation of firewall 35, which may implement the firewall techniques described herein. In the example of Fig. 4, firewall 35 includes application signature service 402, application firewall policy service 404, application firewall policy library 406 and packet forwarding component (PFC) 408. In some instances, in addition to providing firewall services, firewall 35 also performs packet switching, routing or filtering functions. In some instances, firewall 35 is a physical firewall component and includes hardware, or a combination of hardware and software. In other examples, firewall 35 is a virtual firewall component and includes software executing on one or more virtual machines. In some instances, firewall 35 is part of the infrastructure of data center 10. In other examples, firewall 35 is operated by a third party on a network separate from data center 10.
In accordance with the techniques of this disclosure, firewall 35 receives from SDN controller 32 a REST message requesting the application signature of an application, and responds with a message indicating the application signature of the specified application. In the example of Fig. 4, firewall 35 uses one or more of protocols 470 (such as one or more of gRPC protocol 470A, NETCONF protocol 470B, BGP protocol 470C, OpenConf protocol 470D, REST protocol 470E or RESTCONF protocol 470F) to process the message received from SDN controller 32. In some instances, application firewall policy service 404 determines the application whose application signature the received message requests. The received message may specify the name of the application for which the application signature is requested.
In response to the received message, application signature service 402 generates an application-specific identifier and uses the identifier as the application signature. In other examples, application signature service 402 determines information unique to the application (such as the type of the application or the version number of the application) and generates the application signature using that information. In some instances, the application signature is the application type or the application version number. Application signature service 402 generates a message including the application signature corresponding to the application and sends the message to SDN controller 32 via REST protocol 470B. In other examples, application signature service 402 sends the message to SDN controller 32 via another protocol (such as via gRPC or via an HTTP/2 bidirectional stream).
In another example, application signature service 402 detects traffic of an unknown application and develops an application signature for the unknown application. For example, application signature service 402 can learn a new application signature for a new attack. In such an example, application signature service 402 monitors the behavior of the unknown application to generate an application-specific identifier. Application signature service 402 uses the identifier as the application signature. In some instances, application signature service 402 provides the learned application signature to SDN controller 32 via a message (for example, a REST message) specifying the application signature. This allows SDN controller 32 to update application firewall policy library 38 to include the new application signature, so that the latest application signatures of SDN controller 42 and firewall 35 remain synchronized.
In another example, firewall 35 receives from SDN controller 32 a message (for example, a NETCONF message) specifying an application signature and one or more application firewall policies to be used with the application instance corresponding to the application signature. In response to receiving the message, application firewall policy service 404 stores the one or more application firewall policies corresponding to the application signature (for example, as a key: value pair) in application firewall policy library 406, and then applies the one or more application firewall policies to the network traffic of the application corresponding to the application signature.
For example, PFC 408 of firewall 35 receives, via inbound link 410A, one or more packets of one or more network traffic flows of the application instance. Application firewall policy service 404 applies to the one or more packets the one or more application firewall policies for the application that are stored in application firewall policy library 406. PFC 408 then forwards, via outbound link 410B, the packets of the one or more network traffic flows that the one or more application firewall policies permit, and drops the packets of the one or more network traffic flows that the one or more application firewall policies prohibit.
In another example, firewall 35 receives from SDN controller 32 a message (e.g., a NETCONF message) specifying an application signature and instructing firewall 35 to remove the one or more application firewall policies corresponding to the application signature. In response to the received message, application firewall policy service 404 stops applying the one or more application firewall policies to the network traffic of the application corresponding to the application signature, and removes the one or more application firewall policies corresponding to the application signature from application firewall policy library 406.
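The install, apply and remove behaviour of application firewall policy service 404 and PFC 408, as an added example that is not code from the patent or from Juniper: a Python model in which the policy library is a dictionary keyed by application signature, each policy is an ordered list of source/destination/action rules, and the first matching rule wins. The class and function names, the CIDR-based rule format, the "type:version" signature string and the sample packets are all constructed for illustration. The disclosure does not say what happens to a packet that matches no rule or whose signature has no installed policy, so this model drops it (fails closed), and it treats "log" and "report" as forwarding actions that also write an audit record; both are assumptions.

```python
"""Firewall-side model of application firewall policy service 404 and PFC 408.
Added example; names, rule format and sample data are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TrafficRule:
    source: str        # CIDR the flow originates from, e.g. "10.0.1.0/24"
    destination: str   # CIDR the flow is destined for
    action: str        # "allow" | "block" | "log" | "report" (the four actions named in the text)

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


@dataclass
class Packet:
    app_signature: str   # signature the packet's flow was attributed to (assumed "type:version")
    src: str
    dst: str


@dataclass
class ApplicationFirewallPolicyService:
    # application signature -> ordered rule list: the key:value store of policy library 406
    library: Dict[str, List[TrafficRule]] = field(default_factory=dict)
    forwarded: List[Packet] = field(default_factory=list)   # what PFC sends out link 410B
    dropped: List[Packet] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def install(self, signature: str, rules: List[TrafficRule]) -> None:
        """Install message: replace any policy held for this signature."""
        self.library[signature] = list(rules)

    def remove(self, signature: str) -> None:
        """Remove message: later packets for this signature fall through to the default."""
        self.library.pop(signature, None)

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; no policy or no match means block (fail-closed assumption)."""
        for rule in self.library.get(pkt.app_signature, []):
            if rule.matches(pkt.src, pkt.dst):
                return rule.action
        return "block"

    def process(self, pkt: Packet) -> str:
        action = self.decide(pkt)
        if action in ("log", "report"):
            # assumption: log/report record the flow and still forward it
            self.audit.append(f"{action}:{pkt.app_signature}:{pkt.src}->{pkt.dst}")
            self.forwarded.append(pkt)
        elif action == "allow":
            self.forwarded.append(pkt)
        else:
            self.dropped.append(pkt)
        return action


def run_firewall_demo() -> Tuple[ApplicationFirewallPolicyService, List[str]]:
    """Constructed scenario: one policy installed, four packets, then the policy removed."""
    sig = "web-frontend:2.3"
    svc = ApplicationFirewallPolicyService()
    svc.install(sig, [
        TrafficRule("10.0.1.0/24", "10.0.2.0/24", "allow"),      # app tier -> database tier
        TrafficRule("10.0.1.0/24", "203.0.113.0/24", "report"),  # app tier -> partner range
        TrafficRule("0.0.0.0/0", "10.0.1.0/24", "block"),        # nothing may initiate to app tier
    ])
    packets = [
        Packet(sig, "10.0.1.5", "10.0.2.7"),        # allow
        Packet(sig, "10.0.1.5", "203.0.113.9"),     # report (forwarded, audited)
        Packet(sig, "198.51.100.4", "10.0.1.5"),    # block
        Packet(sig, "10.0.1.5", "192.0.2.1"),       # no rule matches -> default block
    ]
    actions = [svc.process(p) for p in packets]
    svc.remove(sig)                                 # controller asked for removal
    actions.append(svc.process(packets[0]))         # previously allowed flow is now blocked
    return svc, actions


if __name__ == "__main__":
    _, result = run_firewall_demo()
    print(result)
```

Two points worth noting from the model: the policy only protects a flow if the firewall has first attributed that flow to the right application signature, so signature attribution is part of the trust boundary; and the order of rules matters, since a broad "block" placed first would shadow the narrower "allow" entries.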
FIG. 5 is a flowchart illustrating example operations in accordance with the techniques of this disclosure. For convenience, FIG. 5 is described with reference to FIG. 1.
In the example of FIG. 5, SDN controller 32 receives a request to initialize an application instance (502). In response to the request, SDN controller 32 instantiates the application in a virtual machine executing on a server 26 of data center 10. During instantiation, SDN controller 32 applies general and user-specific configuration (such as network and firewall policies) to the application.
SDN controller 32 requests from firewall 35 an application signature corresponding to the application instance (504). In the example of FIG. 5, firewall 35 is located between SDN gateway 8 of data center 10 and service provider network 6. Firewall 35 provides the application signature to SDN controller 32. In some examples, SDN controller 32 sends a query requesting the application signature to firewall 35 via REST, and receives from firewall 35 a REST response that includes the requested application signature.
SDN controller 32 retrieves the application firewall policy corresponding to the application signature from application firewall policy library 38 (506). In one example, each application firewall policy defines multiple network traffic rules. Each network traffic rule may include at least one source, at least one destination, and a permission action (e.g., block the traffic, allow the traffic, log the traffic, or report the traffic to an administrator) for network traffic originating from the source and destined for the destination. SDN controller 32 sends a message to firewall 35 instructing firewall 35 to install the application firewall policy and apply it to the network traffic of the application instance (508). For example, SDN controller 32 sends firewall 35 a NETCONF message that specifies the application signature and instructs firewall 35 to install the application firewall policy for the application corresponding to that application signature.
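The controller-side sequence of FIG. 5 (steps 502 through 508), together with the policy-generation step of claim 3, the same-signature reuse of claim 5 and the removal message of claim 9, as an added example that is not code from the patent: a Python model that fetches the signature from a stubbed firewall, looks the policy up in the controller's library (generating a default-deny policy on a miss, which is an assumption, since the disclosure does not say what a generated policy contains), and builds a NETCONF edit-config message. The rpc/edit-config/target/config envelope and the nc:operation attribute follow RFC 6241, but the element names under application-firewall and the urn:example namespace are invented for illustration and are not a real YANG model, and the message is handed to an in-memory stub rather than sent over an SSH session.

```python
"""Controller-side model of FIG. 5 (SDN controller 32, policy library 38, firewall 35).
Added example; the config schema, namespace and sample data are assumptions."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"   # NETCONF base namespace (RFC 6241)
AFW = "urn:example:application-firewall"          # hypothetical config namespace (assumption)
ET.register_namespace("nc", NC)
ET.register_namespace("afw", AFW)
NSMAP = {"nc": NC, "afw": AFW}

Rule = Tuple[str, str, str]   # (source CIDR, destination CIDR, action)


class FirewallStub:
    """Stands in for firewall 35: answers signature queries (step 504) and accepts
    the controller's NETCONF payloads. Hypothetical; a real device would run
    NETCONF over an authenticated SSH session."""

    def __init__(self) -> None:
        self._signatures: Dict[str, str] = {}   # instance id -> application signature
        self.installed: Dict[str, str] = {}     # application signature -> last install payload

    def register_instance(self, instance_id: str, signature: str) -> None:
        self._signatures[instance_id] = signature

    def get_signature(self, instance_id: str) -> Optional[str]:
        return self._signatures.get(instance_id)

    def receive_netconf(self, payload: str) -> str:
        """Parse the edit-config and install or delete the policy it names."""
        root = ET.fromstring(payload)
        signature = root.findtext(".//afw:signature", namespaces=NSMAP)
        policy = root.find(".//afw:policy", namespaces=NSMAP)
        operation = policy.get(f"{{{NC}}}operation", "merge")
        if operation == "delete":
            self.installed.pop(signature, None)
        else:
            self.installed[signature] = payload
        return operation


class SdnController:
    """Models SDN controller 32 with its application firewall policy library 38."""

    def __init__(self, firewall: FirewallStub) -> None:
        self.firewall = firewall
        self.policy_library: Dict[str, List[Rule]] = {}
        self.log: List[str] = []

    @staticmethod
    def generate_policy(signature: str) -> List[Rule]:
        # Claim 3: on a library miss the controller generates a policy. Default-deny is an assumption.
        return [("0.0.0.0/0", "0.0.0.0/0", "block")]

    @staticmethod
    def build_message(signature: str, rules: List[Rule], operation: str, message_id: str = "1") -> str:
        """NETCONF <edit-config> carrying the signature and the policy's rules."""
        rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
        edit = ET.SubElement(rpc, f"{{{NC}}}edit-config")
        ET.SubElement(ET.SubElement(edit, f"{{{NC}}}target"), f"{{{NC}}}running")
        config = ET.SubElement(edit, f"{{{NC}}}config")
        afw = ET.SubElement(config, f"{{{AFW}}}application-firewall")
        policy = ET.SubElement(afw, f"{{{AFW}}}policy", {f"{{{NC}}}operation": operation})
        ET.SubElement(policy, f"{{{AFW}}}signature").text = signature
        for src, dst, action in rules:
            rule = ET.SubElement(policy, f"{{{AFW}}}rule")
            ET.SubElement(rule, f"{{{AFW}}}source").text = src
            ET.SubElement(rule, f"{{{AFW}}}destination").text = dst
            ET.SubElement(rule, f"{{{AFW}}}action").text = action
        return ET.tostring(rpc, encoding="unicode")

    def initialize_instance(self, instance_id: str) -> str:
        """Steps 502 to 508 for one instance; returns the signature that was used."""
        signature = self.firewall.get_signature(instance_id)      # step 504 (REST in the text)
        if signature is None:
            raise LookupError(f"firewall returned no signature for {instance_id}")
        rules = self.policy_library.get(signature)                 # step 506
        if rules is None:
            rules = self.generate_policy(signature)
            self.policy_library[signature] = rules
            self.log.append(f"generated:{signature}")
        else:
            self.log.append(f"reused:{signature}")                 # claim 5: same signature, same policy
        self.firewall.receive_netconf(self.build_message(signature, rules, "merge"))   # step 508
        return signature

    def terminate_instance(self, signature: str) -> None:
        """Second message of claim 9: signature plus policy, marked for removal."""
        rules = self.policy_library.get(signature, [])
        self.firewall.receive_netconf(self.build_message(signature, rules, "delete"))


def run_controller_demo() -> Dict[str, object]:
    """Constructed scenario: two instances sharing a signature, then one with no policy."""
    fw = FirewallStub()
    fw.register_instance("vm-1", "web-frontend:2.3")
    fw.register_instance("vm-2", "web-frontend:2.3")     # second instance, identical signature
    fw.register_instance("vm-3", "legacy-batch:0.9")     # no policy in the library for this one
    ctrl = SdnController(fw)
    ctrl.policy_library["web-frontend:2.3"] = [
        ("10.0.1.0/24", "10.0.2.0/24", "allow"),
        ("0.0.0.0/0", "10.0.1.0/24", "block"),
    ]
    sigs = [ctrl.initialize_instance(i) for i in ("vm-1", "vm-2", "vm-3")]
    ctrl.terminate_instance("legacy-batch:0.9")
    return {"signatures": sigs, "log": ctrl.log, "installed": sorted(fw.installed)}


if __name__ == "__main__":
    print(run_controller_demo())
```

Because the signature returned in step 504 selects which policy the firewall ends up enforcing, the REST query and the NETCONF session both need mutual authentication in a real deployment: a spoofed signature response, or an unauthenticated edit-config, would let an attacker map an instance to a permissive policy without touching the policy library itself.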
The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware, or any combination thereof. For example, various aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combination of such components. The term "processor" or "processing circuitry" may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit comprising hardware may also perform one or more of the techniques of this disclosure.
Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various operations and functions described in this disclosure. In addition, any of the described units, modules, or components may be implemented together or separately as discrete but interoperable logic devices. Depicting different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware or software components, or integrated within common or separate hardware or software components.
The techniques described in this disclosure may also be embodied or encoded in a computer-readable medium, such as a computer-readable storage medium, containing instructions. Instructions embedded or encoded in a computer-readable storage medium may cause a programmable processor, or other processor, to perform the method, for example, when the instructions are executed. Computer-readable storage media may include random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory, a hard disk, a CD-ROM, a floppy disk, a cassette, magnetic media, optical media, or other computer-readable media.
Various examples have been described.These and other examples are within the scope of the appended claims.
Claims (22)
1. A method of applying a firewall policy, comprising:
receiving, by a software defined network controller of a data center, a request to initialize an instance of an application; and
in response to receiving the request, sending, from the software defined network controller to a firewall component located between a software defined network gateway device of the data center and a network external to the data center, a message comprising:
an application signature corresponding to the instance of the application; and
an application firewall policy corresponding to the application signature,
wherein the message instructs the firewall component to install the application firewall policy to be applied to network traffic of the instance of the application.
2. The method of claim 1, further comprising:
requesting, by the software defined network controller from the firewall component, the application signature corresponding to the instance of the application; and
retrieving, by the software defined network controller from an application firewall policy library of the software defined network controller, the application firewall policy corresponding to the application signature, the application firewall policy to be applied to the network traffic of the instance of the application.
3. The method of claim 2, further comprising:
determining, by the software defined network controller, that the application firewall policy library does not include the application firewall policy corresponding to the application signature;
generating, by the software defined network controller, the application firewall policy; and
storing the application firewall policy in the application firewall policy library.
4. The method of claim 2 or 3, further comprising:
receiving, by the software defined network controller, data defining the application firewall policy; and
storing the application firewall policy in the application firewall policy library.
5. The method of claim 2 or 3, wherein the instance of the application comprises a first instance of the application, and the application signature corresponding to the instance of the application comprises a first application signature corresponding to the first instance of the application,
the method further comprising:
receiving, by the software defined network controller, a request to initialize a second instance of the application;
requesting, by the software defined network controller from the firewall component, a second application signature corresponding to the second instance of the application, wherein the second application signature is identical to the first application signature;
retrieving, by the software defined network controller from the application firewall policy library of the software defined network controller, the application firewall policy; and
providing the application firewall policy from the software defined network controller to the firewall component.
6. The method of any one of claims 1 to 3, wherein the application signature identifies at least one of a type of the application or a version number of the application.
7. The method of any one of claims 1 to 3, wherein the application firewall policy defines at least one of:
one or more network addresses to which the application is prohibited from sending network traffic;
one or more network addresses from which the application is prohibited from receiving network traffic;
one or more network addresses to which the application is permitted to send network traffic; or
one or more network addresses from which the application is permitted to receive network traffic.
8. The method of any one of claims 1 to 3, wherein the application is a virtual application executing within a virtual machine, and wherein one or more compute nodes of the data center execute the virtual machine.
9. The method of any one of claims 1 to 3, wherein the message comprises a first message, the method further comprising:
sending, from the software defined network controller to the firewall component, a second message comprising:
the application signature corresponding to the instance of the application; and
the application firewall policy corresponding to the application signature,
wherein the second message instructs the firewall component to remove the application firewall policy corresponding to the instance of the application.
10. A software defined network controller of a data center, configured to:
receive a request to initialize an instance of an application; and
in response to receiving the request, send, to a firewall component located between a software defined network gateway of the data center and a network external to the data center, a message comprising:
an application signature corresponding to the instance of the application; and
an application firewall policy corresponding to the application signature,
wherein the message instructs the firewall component to install the application firewall policy to be applied to network traffic of the instance of the application.
11. The software defined network controller of claim 10, further configured to:
request, from the firewall component, the application signature corresponding to the instance of the application; and
retrieve, from an application firewall policy library of the software defined network controller, the application firewall policy corresponding to the application signature, the application firewall policy to be applied to the network traffic of the instance of the application.
12. The software defined network controller of claim 11, further configured to:
determine that the application firewall policy library does not include the application firewall policy corresponding to the application signature;
generate the application firewall policy; and
store the application firewall policy in the application firewall policy library.
13. The software defined network controller of claim 11 or 12, further configured to:
receive data defining the application firewall policy; and
store the application firewall policy in the application firewall policy library.
14. The software defined network controller of claim 11 or 12, wherein the instance of the application comprises a first instance of the application, and the application signature corresponding to the instance of the application comprises a first application signature corresponding to the first instance of the application, and
wherein the software defined network controller is further configured to:
receive a request to initialize a second instance of the application;
request, from the firewall component, a second application signature corresponding to the second instance of the application, wherein the second application signature is identical to the first application signature;
retrieve the application firewall policy from the application firewall policy library of the software defined network controller; and
provide the application firewall policy to the firewall component.
15. The software defined network controller of any one of claims 10 to 12, wherein the application signature identifies at least one of a type of the application or a version number of the application.
16. The software defined network controller of any one of claims 10 to 12, wherein the application firewall policy defines at least one of:
one or more network addresses to which the application is prohibited from sending network traffic;
one or more network addresses from which the application is prohibited from receiving network traffic;
one or more network addresses to which the application is permitted to send network traffic; or
one or more network addresses from which the application is permitted to receive network traffic.
17. The software defined network controller of any one of claims 10 to 12, wherein the application is a virtual application executing within a virtual machine, and wherein one or more compute nodes of the data center execute the virtual machine.
18. The software defined network controller of any one of claims 10 to 12, wherein the message comprises a first message, and
wherein the software defined network controller is further configured to send a second message to the firewall component, the second message comprising:
the application signature corresponding to the instance of the application; and
the application firewall policy corresponding to the application signature,
wherein the second message instructs the firewall component to remove the application firewall policy corresponding to the instance of the application.
19. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors of a data center executing a software defined network controller to:
receive a request to initialize an instance of an application; and
in response to receiving the request, send, to a firewall component located between a software defined network gateway of the data center and a network external to the data center, a message comprising:
an application signature corresponding to the instance of the application; and
an application firewall policy corresponding to the application signature,
wherein the message instructs the firewall component to install the application firewall policy to be applied to network traffic of the instance of the application.
20. The computer-readable medium of claim 19, wherein the instructions further cause the one or more processors to:
request, from the firewall component, the application signature corresponding to the instance of the application; and
retrieve, from an application firewall policy library of the software defined network controller, the application firewall policy corresponding to the application signature, the application firewall policy to be applied to the network traffic of the instance of the application.
21. The computer-readable medium of claim 20, wherein the instructions further cause the one or more processors to:
determine that the application firewall policy library does not include the application firewall policy corresponding to the application signature;
generate the application firewall policy; and
store the application firewall policy in the application firewall policy library.
22. The computer-readable medium of claim 20, wherein the instructions further cause the one or more processors to:
receive data defining the application firewall policy; and
store the application firewall policy in the application firewall policy library.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US15/890,174 (US10742607B2) | 2018-02-06 | 2018-02-06 | Application-aware firewall policy enforcement by data center controller
Publications (2)
Publication Number | Publication Date
---|---
CN110120934A | 2019-08-13
CN110120934B | 2021-10-08
Family
ID=64572126
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201811443201.3A (CN110120934B, active) | Method, software defined network controller and medium for applying firewall policy | 2018-02-06 | 2018-11-29
Country Status (3)
Country | Link
---|---
US | US10742607B2
EP | EP3522485B1
CN | CN110120934B
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN111193767A | 2019-11-20 | 2020-05-22 | 视联动力信息技术股份有限公司 | Request data sending method and device and clustered server system
CN112968879A | 2021-02-01 | 2021-06-15 | 浪潮思科网络科技有限公司 | Method and equipment for realizing firewall management
US20210306276A1 | 2020-03-25 | 2021-09-30 | Juniper Networks, Inc. | Network traffic control based on application feature
CN114884667A | 2021-02-05 | 2022-08-09 | ***通信有限公司研究院 | Communication authentication method, device and storage medium
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US10826823B2 | 2018-07-31 | 2020-11-03 | Facebook, Inc. | Centralized label-based software defined network
US11159569B2 | 2018-08-20 | 2021-10-26 | Cisco Technology, Inc. | Elastic policy scaling in multi-cloud fabrics
US10826943B2 | 2018-08-21 | 2020-11-03 | At&T Intellectual Property I, L.P. | Security controller
US11627049B2 | 2019-01-31 | 2023-04-11 | Hewlett Packard Enterprise Development Lp | Failsafe firmware upgrade for cloud-managed devices
US20200314066A1 | 2019-03-29 | 2020-10-01 | Cloudflare, Inc. | Validating firewall rules using data at rest
US11165707B2 | 2019-04-12 | 2021-11-02 | Cisco Technology, Inc. | Dynamic policy implementation for application-aware routing based on granular business insights
US11546300B2 | 2019-05-07 | 2023-01-03 | Comcast Cable Communications, Llc | Firewall system with application identifier based rules
US11627147B2 | 2019-05-17 | 2023-04-11 | Charter Communications Operating, Llc | Botnet detection and mitigation
US11044193B2 | 2019-08-23 | 2021-06-22 | Vmware, Inc. | Dynamic multipathing using programmable data plane circuits in hardware forwarding elements
US11363041B2 | 2020-05-15 | 2022-06-14 | International Business Machines Corporation | Protecting computer assets from malicious attacks
US11463343B2 | 2020-10-07 | 2022-10-04 | Hewlett Packard Enterprise Development Lp | SDWAN overlay routing service
US11595267B2 | 2020-12-22 | 2023-02-28 | Huawei Technologies Co., Ltd. | Methods and systems for distributed network verification
CN112769829B | 2021-01-11 | 2022-10-04 | 科大讯飞股份有限公司 | Deployment method of cloud physical machine, related equipment and readable storage medium
CN114553492B | 2022-01-25 | 2023-07-07 | 杭州迪普科技股份有限公司 | Cloud platform-based operation request processing method and device
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US20150082417A1 | 2013-09-13 | 2015-03-19 | Vmware, Inc. | Firewall configured with dynamic collaboration from network services in a virtual network environment
US20150326532A1 | 2014-05-06 | 2015-11-12 | At&T Intellectual Property I, L.P. | Methods and apparatus to provide a distributed firewall in a network
US20150341377A1 | 2014-03-14 | 2015-11-26 | Avni Networks Inc. | Method and apparatus to provide real-time cloud security
CN105531692A | 2012-01-06 | 2016-04-27 | 奥普帝奥实验室有限公司 | Security policies for loading, linking, and executing native code by mobile applications running inside of virtual machines
US20170324781A1 | 2014-06-30 | 2017-11-09 | Alcatel Lucent | Security in software defined network
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US9710762B2 | 2012-06-06 | 2017-07-18 | Juniper Networks, Inc. | Dynamic logging
US9898317B2 | 2012-06-06 | 2018-02-20 | Juniper Networks, Inc. | Physical path determination for virtual network packet flows
US20150229618A1 | 2014-02-11 | 2015-08-13 | Futurewei Technologies, Inc. | System and Method for Securing Source Routing Using Public Key based Digital Signature
US9641435B1 | 2014-03-28 | 2017-05-02 | Juniper Networks, Inc. | Packet segmentation offload for virtual networks
KR101535502B1 | 2014-04-22 | 2015-07-09 | 한국인터넷진흥원 | System and method for controlling virtual network including security function
US20170006082A1 | 2014-06-03 | 2017-01-05 | Nimit Shishodia | Software Defined Networking (SDN) Orchestration by Abstraction
US10868737B2 | 2016-10-26 | 2020-12-15 | Arizona Board Of Regents On Behalf Of Arizona State University | Security policy analysis framework for distributed software defined networking (SDN) based cloud environments
Priority and related applications timeline
- 2018-02-06: US application US15/890,174, granted as US10742607B2 (active)
- 2018-11-29: CN application CN201811443201.3A, granted as CN110120934B (active)
- 2018-11-30: EP application EP18209617.2A, granted as EP3522485B1 (active)
Also Published As
Publication number | Publication date
---|---
US10742607B2 | 2020-08-11
US20190245830A1 | 2019-08-08
EP3522485A1 | 2019-08-07
EP3522485B1 | 2021-04-07
CN110120934B | 2021-10-08
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
 | CB02 | Change of applicant information | Address after: California, USA; Applicant after: Juniper Networks, Inc. Address before: California, USA; Applicant before: Jungle network
 | GR01 | Patent grant |